
If the HYCU Server or Web UI uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.


Overview

Finding ID: V-246823
Version: HYCU-AC-000005
Rule ID: SV-246823r768133_rule
IA Controls: none listed
Severity: Medium
Description
Discretionary Access Control (DAC) is based on the notion that individual network administrators are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.

Satisfies: SRG-APP-000328-NDM-000286, SRG-APP-000329-NDM-000287
STIG: HYCU for Nutanix Security Technical Implementation Guide
Date: 2021-08-03

Details

Check Text ( C-50255r768131_chk )
HYCU offers the capability to leverage RBAC controls within the Web UI's Self-Service menu. The organization would need to generate and document its own specific requirements around using RBAC in HYCU.

For the HYCU VM console, administrators should grant access only to persons who have been deemed qualified as a server administrator for the system.

Review the groups and accounts within Web UI's Self-Service menu.

If any RBAC setting does not meet the organization's own guidelines, this is a finding.
Fix Text (F-50209r768132_fix)
Ensure the correct RBAC controls and access are applied properly within the HYCU Web UI's Self-Service menu. Avoid granting any user or group more access than its role requires.

Ensure that any needed DACLs are also being applied to and enforced on any OUs or groups in Active Directory that are being leveraged within the HYCU Web UI Self-Service menu.

For the HYCU VM console, administrators should grant access only to persons who have been deemed qualified as a server administrator for the system.

To check for any unauthorized users, run the following command within the HYCU Web console:
cat /etc/passwd

Use the "userdel" command to remove any unauthorized users.
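As an added example (not HYCU's or DISA's own tooling) of the "check for any unauthorized users" step above, this POSIX shell function compares the interactive accounts in a passwd-format file against an organization-maintained allowlist and reports any that are not approved. The sample passwd entries, the allowlist contents and the UID-1000 threshold for interactive accounts are constructed assumptions; the function only reports, so removal stays a deliberate userdel by an administrator.

```shell
#!/bin/sh
# Added example, not part of the HYCU STIG or HYCU's own software.
# Reports logins in a passwd-format file that are interactive (UID >= 1000,
# real login shell, not "nobody") and absent from an approved-admin allowlist.
# Assumption: the allowlist holds one approved login per line; "#" starts a comment.

unauthorized_accounts() {
    passwd_file="$1"
    allowlist="$2"
    # passwd fields: name:password:UID:GID:gecos:home:shell
    found=$(awk -F: -v allow="$allowlist" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") approved[line] = 1
            }
        }
        # Skip system accounts, nobody, and accounts that cannot log in
        $3 >= 1000 && $1 != "nobody" && $7 !~ /(nologin|false)$/ && !($1 in approved) {
            print $1
        }
    ' "$passwd_file")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"   # one unauthorized login per line
    return 1                 # non-zero signals a finding
}

# Constructed sample data standing in for /etc/passwd and the org's baseline.
tmpdir="${TMPDIR:-/tmp}/hycu-acct-check.$$"
mkdir -p "$tmpdir"
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcadmin:x:1000:1000:Server admin (constructed):/home/svcadmin:/bin/bash
opsadmin:x:1001:1001:Server admin (constructed):/home/opsadmin:/bin/bash
tempuser:x:1002:1002:Left over from testing (constructed):/home/tempuser:/bin/bash
backupbot:x:1003:1003:Automation, no shell (constructed):/home/backupbot:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$tmpdir/allowlist" <<'EOF'
# Approved server administrators for this HYCU VM (constructed)
svcadmin
opsadmin
EOF

# Runs the check against the constructed sample; prints "tempuser" and returns 1.
check_sample() {
    unauthorized_accounts "$tmpdir/passwd" "$tmpdir/allowlist"
}
```

On a real system the same function is called with /etc/passwd and the documented list of qualified server administrators.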